just another infosec blog

Cascading MySQL mishap

A couple days ago I was doing some routine cleanup on a remote hosted site. I have paid access to this server and was working with the MySQL CLI tool. Both username and password is intricate. Just for the hell of it I tried one silly thing – connecting to the server using stock credentials. Voila – instant access. Was this only local for that site or not? Follow me in the quest for finding out!

About the hosting company

This hosting company is small and offer their services for cheap. Just like anyone else in the same segment. Even though I know exactly the platform offered I must put myself into context of an intruder. The very first thing I did was to enter their support page to find out what I’m dealing with here. Support FAQ claims they are running *AMPP. However they do not disclose which version of MySQL or which operating system. Also – the FAQ also mentions that you can access the PHPMyAdmin tool by prefixing “.db” to your URL. Handy information – and this is the basis for what we are going to do.

Since they are just an SMB, it means that they most likely have a very limited pool of IP addresses. Hence, they must be hosting multiple sites on the same address. In theory this could be a security risk since “any” mistakes might cascade through the entire stack of sites. Like in this scenario.

We’re now armed with pretty much what we need so – we just need a wee script to do the “heavy” lifting.

Investigation

Obtaining a list of targets

We assume they are hosting multiple sites on the same address – so let’s find out which sites exists. We are going to use an online service offered by “You Get Signal” in order to obtain such list.

Execute this in CLI mode by issuing following (your setup may vary) command:
php.exe dbconnect.php sites_list.txt

What happens here?

This script will read the entire input list of sites and traverse it. For each URL it prefixes it with “db.” and tries to connect to by using common credentials (username root, empty password). If success, notify the user – else continue to process URL’s until empty.

Obtaining MySQL version and name of the operating system

If any of the URL’s is vulnerable it means you can connect to it by issuing following command in CLI, or similar:
mysql -uroot -p -h prefixedurl

Most likely you will not be able to perform any actions heres – but look at the header. It will reveal the name of the operating system and the MySQL version. Mission done. Armed with this information you might be able to find an exploit or two.

Aftermath

I did not find a vast amount of vulnerable sites – only quite a few. But nevertheless – they were vulnerable alright. But so what you might ask? If we know which operating system they run and which version, plus which version of the database server we can go hunting for exploits. The hosting company could be running a really outdated version of any of the tools said and would most likely be an easy target.

The web hosting company was notified two days ago but they have yet to respond.

Update August 11th:
Support has not replied to this notification. I have sent another support request on this issue. If they don’t respond within two days I’ll be disclosing the name of this hosting service.